Developer warns of critical vulnerability in many Samsung smartphones

Hole in Android kernel gives full read-write permissions to all physical memory.

A software developer says he has identified a critical vulnerability in many Samsung smartphone models that can open up end users to malware attacks and expose bank account credentials and other sensitive data to attackers.

The security hole, according to a post published Saturday on the XDA Developers forum, resides in the Android kernel of Samsung handsets running an Exynos 4210 or 4412 processor. While it creates a new and easier method for end users to root their devices, it also gives any installed app full read-write access to all physical memory. Because that memory includes the running kernel, an app can gain unfettered control of the handset, opening the door to malware with rootkit-like capabilities. It also allows one app to read data being processed by a second app or by the operating system itself.

"This exploit could be dangerous," XDA developer Joseph Hindy wrote in a follow-up post. "Not only could it be used to acquire root access, but for malicious applications as well. So developers will have a fun time helping to fix the issues while using the exploit for root."

Affected devices, according to Hindy, include the Samsung Galaxy Note II, Samsung Galaxy SIII, Meizu MX, and Galaxy S II, among others. The vulnerable libraries, located in the /system/lib directory, appear to be connected to the handset camera and other graphics-related functions. The bug makes it possible for an attacker to bypass the kernel-level permissions that limit one app's access to data processed by the operating system or by other apps.
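To make the failure concrete, here is an added illustration (not Samsung's driver code and not from the XDA post) of the shape such a hole takes: a kernel interface that maps a window of physical memory for userspace, as a camera driver might for its frame buffers. The addresses, sizes and function names are invented for the example, and it is written as plain userspace C so the checks can be compiled and run anywhere. Three versions of the range check are shown: no bound at all (any physical address is mapped), a bound whose addition can wrap around, and a hardened version. A fourth function covers the other half of the problem, the device node's permission bits, since every installed app runs under its own unprivileged UID and a world-readable/writable node is therefore reachable by every app.

```c
/* Added illustration of a physical-memory mapping interface and its range
 * check. Not Samsung's code: CAM_POOL_*, KERNEL_TEXT and the function names
 * are invented for this example. Plain userspace C, no kernel headers. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t phys_addr_t;

/* Hypothetical reserved camera buffer pool: the only physical range the
 * interface is meant to expose to userspace. */
#define CAM_POOL_BASE ((phys_addr_t)0x80000000ULL)
#define CAM_POOL_SIZE ((uint64_t)(8 * 1024 * 1024))   /* 8 MiB */
#define PAGE_SZ       ((uint64_t)4096)

/* Hypothetical address an app must never reach, e.g. kernel text. */
#define KERNEL_TEXT   ((phys_addr_t)0x40008000ULL)

/* 1. No bounding at all: whatever the caller asks for gets mapped. This is
 *    what "read-write access to all physical memory" looks like in code. */
bool window_ok_unbounded(phys_addr_t start, uint64_t len)
{
    (void)start;
    return len != 0;
}

/* 2. A bound computed with an addition that can wrap: a huge len makes
 *    start + len land back inside the pool and the check passes. */
bool window_ok_naive(phys_addr_t start, uint64_t len)
{
    if (len == 0)
        return false;
    return start >= CAM_POOL_BASE &&
           start + len <= CAM_POOL_BASE + CAM_POOL_SIZE;   /* can overflow */
}

/* 3. Hardened: require page alignment and compare len against the space
 *    remaining after start, so no addition can wrap. */
bool window_ok_hardened(phys_addr_t start, uint64_t len)
{
    if (len == 0 || (start % PAGE_SZ) != 0 || (len % PAGE_SZ) != 0)
        return false;
    if (start < CAM_POOL_BASE)
        return false;
    uint64_t off = start - CAM_POOL_BASE;
    if (off > CAM_POOL_SIZE)
        return false;
    return len <= CAM_POOL_SIZE - off;
}

/* Permission bits of the device node (the low 9 bits of st_mode, e.g. 0660).
 * A memory-mapping node must not be open to "other": on Android that means
 * every installed app. Acceptable only when the world bits are all clear. */
bool node_mode_acceptable(unsigned mode)
{
    return (mode & 07) == 0;
}

int main(void)
{
    struct { const char *what; phys_addr_t start; uint64_t len; } req[] = {
        { "camera buffer",       CAM_POOL_BASE + 0x1000, 0x10000 },
        { "kernel text",         KERNEL_TEXT,            0x1000 },
        { "wraparound past pool", CAM_POOL_BASE,         UINT64_MAX - 0x0FFFULL },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-22s unbounded=%d naive=%d hardened=%d\n", req[i].what,
               window_ok_unbounded(req[i].start, req[i].len),
               window_ok_naive(req[i].start, req[i].len),
               window_ok_hardened(req[i].start, req[i].len));
    printf("node mode 0666 acceptable=%d, 0660 acceptable=%d\n",
           node_mode_acceptable(0666), node_mode_acceptable(0660));
    return 0;
}
```

The wraparound request is the one to study: it is rejected by nothing but the hardened check, because the naive version adds first and compares afterwards. Both defences are needed together; a correct range check on a node that is still mode 0666 only narrows what every app can reach, and a correctly restricted node with no range check still hands the whole of physical memory to whichever group owns it.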

Following Saturday's disclosure, a different XDA developer released code that offers some protection against the exploit. Readers should weigh the pros and cons carefully before installing it, since doing so may void the handset warranty.

Over the past year, Google has endowed its official Play Store with a cloud-based scanner for detecting malicious apps. The latest version of Android also offers client-side protection for apps that may be obtained from other sources. There are no reports that the Samsung vulnerability is being actively exploited.

All you SIII owners, time to demand a refund/upgrade/replacement as soon as an ITW threat is out exploiting handsets that are not patched, or if somehow they do get a patch out and it reduces performance or functionality of your device. If Samsung releases the fix and your carrier doesn't pass it through, time to demand an exit to your contract or a refund of your phone from them instead.

Even though I'm an Android user and lover, I've long warned that the security patch compliance of these devices is dangerous. 3-6 month patch cycles, and many phones never seeing a patch once they pass 12-18 months old, if they ever see a first one? As soon as there's an actively spreading virus that can hit handsets without user intervention, if things go unpatched, there will be a mass exodus from Android.

Google needs to take back and singly control handset patching, and permanently separate all skinned code from the OS itself, enabling any device at any time to be updated by Google, bypassing carriers, and if that temporarily breaks carrier modifications, or forces you to load a default skin, so be it; the carriers and manufacturers should not have their code relying on underlying code subject to change anyway. Phones need to be treated like computers, with security managed centrally, and apps and settings managed by the networks they're connected to. The problem is, Android was so rushed to market that that level of customization was never planned for, and it is essentially too late to add without compatibility-breaking overhauls and a whole new patent licensing nightmare.

It doesn't affect the dual core Snapdragon chips in the U.S. version GSIII's.

It is a flaw in the memory bounding section of code covering the camera software, which is a portion of the kernel. CM10.1 already has a fix in place.

There are three fixes posted online. Using them may void your warranty.

The one by Chainfire also gives you root when it is done. You can delete the SuperSU app after you install the fix, and you will go back to being unrooted. As far as I can tell, this is the safest and best implementation (I read the entire forum). The others do not require root, but they can be circumvented by a wily developer.

Samsung has been notified, but as usual, they have not responded.

If you have a Quad core Exynos chip such as those in the Note II, and international GSIII, then I suggest you do not allow any programs you download to have access to your camera. At this point that is the attack vector that has proven to work.

This is the reason every provider should require the STOCK Android kernel be used. This problem would not likely exist if every Android phone used the same kernel ( at least the same kernel on any given version of Android ).

I thought Samsung didn't lock their bootloaders? If they don't lock their bootloaders, you don't need an exploit to root, because you can just use the recovery to install su. That's what I did on my devices thus far. Or are they talking about using exploits to gain root with a one-click app without the "extra work" of unlocking the bootloader, installing a custom recovery, and installing su?

How are we as an industry still producing code with such blatant security holes? There's just no way anyone with any security background whatsoever could have reviewed this - it's effectively a basic permissions error.

We joke about users not understanding security, but...

Most developers have a worse (okay, just as bad) understanding of security as the random user. Most developers simply don't care.

How are we as an industry still producing code with such blatant security holes? There's just no way anyone with any security background whatsoever could have reviewed this - it's effectively a basic permissions error.

We joke about users not understanding security, but...

Most developers have a worse (okay, just as bad) understanding of security as the random user. Most developers simply don't care.

"Most Developers" don't get to make the decisions about what gets released. The corporate types tell them a schedule and they do their best to meet it. And it isn't practical to find all of the problems like this ahead of time anyway. To claim otherwise is to show a great deal of ignorance regarding software development. There are more exploits just like this waiting to be found in every mobile platform and there are many people looking for them.

As soon as there's an actively spreading virus that can hit handsets without user intervention, if things go unpatched, there will be a mass exodus from Android.

Not really a problem. The only way it could spread widely would be if the browser is vulnerable. Luckily browsers are apps that CAN be patched even without carrier agreement. So the only problem could be installed applications. And here everybody who uses the Google app store should be fine. Yes, it's not 100% safe, but the infection risk is very, very low. Once an infected program is identified it can be kicked off, and if you do not install thousands of obscure apps your danger is close to zero.

It's not the safety of Apple's tight embrace, but it seems to be safe enough. I have not heard of any widespread Android malware and there is definitely no mass exodus.